CVE-2023-40579

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-40579
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40579.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-40579
Aliases
Related
Published
2023-08-25T20:15:08Z
Modified
2025-01-14T11:54:55.908978Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using ListObjects with specific models. The affected models contain expressions of type rel1 from type1. This issue has been patched in version 1.3.1.

References

Affected packages

Git / github.com/openfga/openfga

Affected ranges

Type
GIT
Repo
https://github.com/openfga/openfga
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.4.0
v0.4.1
v0.4.2
v0.4.3

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.2.0
v1.3.0